A pre-auth SQL injection in the LiteLLM AI gateway lets attackers read and potentially modify the proxy's database, including the API credentials it brokers, and CISA added it to the KEV catalog on 2026-05-08.
What Is It
LiteLLM is a proxy server (AI gateway) that fronts LLM provider APIs behind an OpenAI-compatible interface. In versions 1.81.16 through 1.83.6, the database query used during proxy API key validation interpolated the caller-supplied key value directly into the SQL text instead of passing it as a bound parameter (CWE-89). An unauthenticated attacker can send a specially crafted Authorization header to any LLM API route, for example POST /chat/completions, and reach the vulnerable query through the proxy's error-handling path. Successful exploitation lets the attacker read data from the proxy's database and potentially modify it.
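The defect class described above, as an added example that is not LiteLLM's own code: a key lookup that splices the caller-supplied key into the SQL text, next to the parameterized form, plus a version-range check for the affected releases. The table, rows and tokens are constructed stand-ins, and SQLite stands in for the proxy database.

```python
import sqlite3

AFFECTED_MIN = (1, 81, 16)  # first affected release, per the advisory
FIXED = (1, 83, 7)          # first fixed release, per the advisory


def _conn():
    # Constructed stand-in for the proxy's key table (not LiteLLM's schema).
    c = sqlite3.connect(":memory:")
    c.execute("CREATE TABLE api_keys (token TEXT PRIMARY KEY, team TEXT)")
    c.execute("INSERT INTO api_keys VALUES ('sk-demo-1234', 'team-a')")
    return c


def lookup_key_interpolated(conn, token):
    # CWE-89: the untrusted Authorization value becomes part of the SQL text,
    # so quote characters in it change the statement instead of being matched.
    sql = f"SELECT team FROM api_keys WHERE token = '{token}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_key_bound(conn, token):
    # Hardened form: the token travels as a bound parameter and the database
    # compares it as a value, whatever characters it contains.
    row = conn.execute("SELECT team FROM api_keys WHERE token = ?", (token,)).fetchone()
    return row[0] if row else None


def probe(token):
    """Run both lookups on one token. Returns (interpolated_result,
    statement_altered, bound_result); statement_altered is True when the
    token changed the interpolated query's syntax, the tell-tale of CWE-89."""
    conn = _conn()
    try:
        interp, altered = lookup_key_interpolated(conn, token), False
    except sqlite3.OperationalError:
        interp, altered = None, True
    return interp, altered, lookup_key_bound(conn, token)


def parse_version(s):
    return tuple(int(p) for p in s.strip().lstrip("v").split("."))


def is_affected(version):
    """True for LiteLLM releases in [1.81.16, 1.83.7), the range the advisory names."""
    return AFFECTED_MIN <= parse_version(version) < FIXED
```

A legitimate key resolves identically through both lookups; a token carrying a single quote breaks the interpolated statement but is simply not found by the bound one.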
Why It Matters
NVD scores this 9.8 CRITICAL (CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); the secondary CVSS 4.0 score is 9.3. No authentication, no user interaction, network-reachable: about as clean a pre-auth path as a SQLi gets. The blast radius is what makes this acute. LiteLLM exists to hold and broker upstream LLM provider credentials, so database access here means harvesting those keys, pivoting to OpenAI / Anthropic / Azure / Bedrock accounts, and racking up spend or exfiltrating tenant data through the proxy. CISA added the CVE to the Known Exploited Vulnerabilities catalog on 2026-05-08 with a federal remediation due date of 2026-05-11, a three-day window, which signals confirmed in-the-wild exploitation. Ransomware use is listed as Unknown.
What's Vulnerable
- Product: BerriAI LiteLLM
- Affected versions: >= 1.81.16, < 1.83.7
- CPE: cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*:*
- Weakness: CWE-89 (SQL Injection)
Patch Status
Fixed in LiteLLM 1.83.7. CISA's required action: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Federal due date was 2026-05-11.